U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

Improvements Needed in Key EPA Information System Security Practices
Report No. 10-P-0146

June 15, 2010

Abbreviations

AO      Authorizing Official
ASSERT  Automated System Security Evaluation and Remediation Tracking
CA      Certification Agent
C&A     Certification and Accreditation
CIO     Chief Information Officer
EPA     U.S. Environmental Protection Agency
FISMA   Federal Information Security Management Act
GAO     U.S. Government Accountability Office
IV&V    Independent Verification and Validation
NIST    National Institute of Standards and Technology
OEI     Office of Environmental Information
OIG     Office of Inspector General
OMB     Office of Management and Budget
OTOP    Office of Technology Operations and Planning
POA&M   Plan of Actions and Milestones
READ    Registry of EPA's Applications and Databases
TISS    Technology and Information Security Staff

At a Glance

Why We Did This Review

The Office of Inspector General contracted with Williams, Adley & Company, LLP, to perform an independent review of the U.S. Environmental Protection Agency's (EPA's) information security program to determine whether it meets the requirements of the Federal Information Security Management Act.

Background

The Federal Information Security Management Act requires inspectors general, or the independent evaluators they choose, to perform an annual evaluation of their agencies' information security programs and practices.

What Williams, Adley & Company, LLP, Found

Williams Adley found that EPA program offices lacked evidence that they planned and executed tests of information system security controls as required by federal requirements. In addition, Williams Adley found that contingency plans developed and maintained by program offices were not current and accurate, and the certification and accreditation process and review of security plans needed improvements. EPA also had two authoritative system inventories that did not reconcile. Finally, EPA had contractor-owned and -operated systems in operation without proper oversight monitoring.

What Williams, Adley & Company, LLP, Recommends

Williams Adley's recommendations to the Director of the Office of Technology Operations and Planning include communicating and training EPA's information security community on testing and documenting information systems security controls. Williams Adley also recommends the Director enhance the quality assurance process to verify that self-assessments evaluate all required security controls.

Williams Adley recommends that the Principal Deputy Assistant Administrator of Environmental Information and Deputy Chief Information Officer direct offices to design and implement a process to perform a periodic reconciliation between its two authoritative system inventories.

Agency officials did not provide comments to the draft audit report and indicated they will provide a response to the final report.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20100615-10-P-0146.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

June 15, 2010

MEMORANDUM

SUBJECT:  Improvements Needed in Key EPA Information System Security Practices
          Report No. 10-P-0146

FROM:     Rudolph M. Brevard
          Director, Information Resources Management Assessments
          Office of Mission Systems

TO:       Linda A. Travers
          Principal Deputy Assistant Administrator for Environmental Information
          and Deputy Chief Information Officer

          Vaughn Noga
          Director, Office of Technology Operations and Planning
          Office of Environmental Information

This is the report on the subject audit prepared by Williams, Adley and Company, LLP, on behalf of the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). Williams Adley prepared this report as part of its review of EPA's information security program for Fiscal Year 2009 as required by the Federal Information Security Management Act. This report contains findings that describe the problems Williams Adley identified and corrective actions Williams Adley recommends. This report represents the opinions of Williams Adley and does not necessarily represent the final EPA position. Final determinations of matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated cost of this report, which includes contract costs and OIG's contract management oversight, is $136,242.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective action plan for agreed-upon actions, including milestone dates. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or brevard.rudy@epa.gov, or Cheryl Reid at (919) 541-2256 or reid.cheryl@epa.gov.

June 15, 2010

MEMORANDUM

SUBJECT:  Improvements Needed in Key EPA Information System Security Practices
          Report No. 10-P-0146

FROM:     Robert J. Fulkerson
          Director, IT Assurance and Business Solutions
          Williams, Adley & Company, LLP

THRU:     Rudolph M. Brevard
          Director, Information Resources Management Assessments
          Office of Inspector General

TO:       Linda A. Travers
          Principal Deputy Assistant Administrator for Environmental Information
          and Deputy Chief Information Officer

This is our final report on the review of the U.S. Environmental Protection Agency's (EPA's) information security program as required by the Federal Information Security Management Act. Williams, Adley & Company LLP conducted this audit on behalf of the EPA Office of Inspector General (OIG). This report outlines weaknesses found and recommendations to correct the noted weaknesses.

We would like to thank your staff for their cooperation throughout the audit process. Please contact the EPA OIG for further information related to this report.

Table of Contents

Purpose
Noteworthy Achievements
Findings
    Documenting Information Systems Security Controls Testing Needs Improvement
    Contingency Planning Practices Need Improvement
    Review Process for Certification and Accreditation and Security Plans Needs Improvement
    Contractor Oversight Needs Improvement
    Practices Used to Identify All EPA Systems Need Improvement
Agency Comments and OIG Evaluation
Recommendations
Status of Recommendations and Potential Monetary Benefits

Appendices
    A  Scope and Methodology
    B  Description of ASSERT and READ Systems
    C  Distribution

Purpose

As part of the Fiscal Year 2009 Federal Information Security Management Act (FISMA) review, the Office of Inspector General (OIG) tasked Williams, Adley and Company, LLP, to review and assess the U.S. Environmental Protection Agency's (EPA) information security program and annual reporting to the Office of Management and Budget (OMB) on the effectiveness of the information system security program.

Williams Adley conducted this review in accordance with generally accepted government auditing standards. These standards require that Williams Adley plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for their findings and conclusions based on the audit objectives.
Williams Adley believes the evidence obtained provides a reasonable basis for its findings and conclusions.

Appendix A describes the detailed Scope and Methodology of this review.

Noteworthy Achievements

EPA's management officials indicated that they have taken the following actions to improve the Agency's information security program:

• Executed contractual agreements to review all certification and accreditation (C&A) packages.
• Implemented "on-site" training of Agency personnel on preparing C&A system documentation and managing associated plans of actions and milestones (POA&Ms).
• Increased its independent verification and validation (IV&V) activities to review 10 percent of the Agency's information systems.
• Procured an automated C&A tool that will require all C&A artifacts to be published, stored, and maintained within EPA's Automated System Security Evaluation and Remediation Tracking (ASSERT) system.

Findings

Strengthening of managerial controls is needed to ensure delegated information security activities are carried out as intended. EPA delegates implementation of its information security practices to senior managers throughout the Agency. While many offices have practices in place, our review disclosed that personnel with significant security responsibilities continue to face challenges in demonstrating that they executed required tasks. In particular, offices lacked:

• Evidence that testing of information systems security controls took place as required by federal guidance,
• Contingency plan testing on an annual basis,
• Practices to ensure an Authorizing Official (AO) receives credible information to make risk-based decisions, and
• Internal controls to ensure personnel are familiar with their duties and responsibilities for overseeing EPA-owned and contractor-operated systems.

OMB, National Institute of Standards and Technology (NIST), and EPA guidance outline requirements for key information security activities. EPA also implemented a quality assurance program to verify the effectiveness of information security practices. However, in general, EPA offices did not put the emphasis on performing and documenting accomplishment of these critical information security processes. Testing of security controls and continuity plans, and informing AOs about potential threats, provide the framework for EPA offices to apply risk mitigation strategies. Without performing these tasks fully, management is not presented with the information needed to make informed decisions about the amount of risk it is willing to assume for continued operation of its network-attached resources and what steps it should take to reduce that risk. Furthermore, without personnel knowledgeable of their contractor oversight responsibilities, EPA faces the potential that threats to its network-attached resources could exist without management having the opportunity to mitigate them.

Additionally, our review disclosed that the Office of Environmental Information (OEI) lacked an oversight process to reconcile two databases used to inventory Agency systems and applications. These two databases represent the inventory of known EPA databases and applications. Without reconciling these inventories, management increases the potential that it may not have taken appropriate risk mitigation actions because it was not aware a threat existed. Additionally, prior audit reports highlighted areas of concern with EPA's quality assurance program that management should take steps to correct. A quality assurance program that focuses on ensuring security-related activities are designed and executed as intended helps management obtain greater assurance that critical security steps are taking place as management intended.

Documenting Information Systems Security Controls Testing Needs Improvement

EPA program offices were not maintaining documentation that demonstrates testing of security controls was performed as prescribed in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, namely that:

• The AO or designated representative determined the required level of independence for security control assessors based on the results of the security categorization process.
• Systems managed by third-party service providers were tested independently.
• The Certification Agent (CA) certified that the security controls documented in the System Security Planning Package were correct.
• The CA notified the Information System Security Officer of the results and recommended changes. (The Information System Security Officer is responsible for updating and maintaining the system documentation.)

Our tests found that the documentation lacked evidence that:

• The office tested all minimally required security controls as prescribed by NIST within the last three years.
• Tests of systems managed by third-party service providers were performed by an independent party as required by NIST.
• System tests were conducted and signed off by different individuals. Security documentation for 10 of the 19 systems reviewed showed that the same individual who evaluated the system's security controls also signed off on the test results.

EPA's C&A procedures state that the AO is responsible for operating an information system at an acceptable level of risk to the agency, its assets, or individuals. As such, the AO determines whether the level of independence is sufficient to provide confidence that the assessment results can be used to make a risk-based decision on whether to place the information system into operation or continue its operation. Incomplete documentation increases the risk that the AO may authorize the system for processing without adequate knowledge of the security weaknesses that bear on that decision.

EPA implemented a quality assurance process to review IV&V and C&A reports that program offices generate as a result of system testing. However, these efforts are applied only to new IV&V tests and C&A reports. Therefore, there is limited validation to ensure all EPA systems are tested on a regular basis, and oversight activities rely heavily on self-reported information that program offices provide. Furthermore, the quality assurance process lacks an emphasis on ensuring that EPA offices plan and execute security testing according to federal guidance, because test results and activities are reviewed only after they have occurred. The quality assurance process thereby misses the opportunity to ensure that the limited resources dedicated to information systems security are achieving the greatest impact for the Agency.

EPA OIG Report No. 10-P-0058, Self-reported Data Unreliable for Assessing EPA's Computer Security Program, February 2, 2010, highlights concerns with EPA's quality assurance program and made recommendations. Taking steps to correct previously reported weaknesses as well as those highlighted in this report should help management gain greater confidence in the security control testing information used for deciding whether to authorize a system for operation.

Contingency Planning Practices Need Improvement

EPA has not established the necessary controls to ensure compliance with NIST requirements and EPA policies for annual testing of contingency plans.
Current EPA procedures and processes do not ensure that unsuccessful tests are addressed in a timely manner and that all stakeholders are informed of testing results in a timely manner.

For the 19 systems selected for testing, we noted the following:

• Contingency plans were not current and had not been fully implemented.
• Documentation did not include testing results and lessons learned.
• Testing plans and procedures did not address the causes of failure.
• Testing plans and results were not signed by AOs.

The lack of a comprehensive contingency plan increases the risk that the Agency may not recover its mission-critical systems from a significant disruption in time to meet its business mission. According to NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, testing should occur at least annually or when significant changes are made to the system, business process, or contingency assumptions. Testing results and lessons learned should be documented and reviewed by participants and other key personnel as appropriate. In addition, EPA procedural guidelines state that the plan, recovery capabilities, and personnel are to be tested annually to identify weaknesses.

Review Process for Certification and Accreditation and Security Plans Needs Improvement

EPA needs to improve its quality assurance procedures to ensure C&A documents and security plans are current, properly approved by authorized personnel, and clearly define and delegate authorities. For the 19 systems selected for testing, we identified the following observations on C&A:

• Information System Security Officers did not ensure C&A security documents were current, documented, and authorized in compliance with regulatory requirements.
• Information System Security Officers did not update ASSERT to match current C&A security documents.
• EPA did not provide a signature on contractor C&A supporting documents.

For the 19 systems selected for testing, we identified the following observations on the security plans:

• Security roles and responsibilities are not properly defined.
• Delegation memorandums assigning responsibility are not signed by an authorizing agent.
• Authorization for contractor assignment of responsibility and delegation of authority was not documented and approved.
• Delegation memorandums are not maintained in ASSERT.
• Security plans are not current.
• Points of contact are not updated in a timely manner.

NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, requires independent certification for systems with a risk category rating of high or moderate. Each phase in the C&A process must consist of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals. Agency officials may appoint appropriately qualified individuals, including contractors, to perform the activities associated with any security C&A role with the exception of the Chief Information Officer and AO. The only activity that cannot be delegated by the AO is the security accreditation decision and the signing of the associated accreditation decision letter (i.e., the acceptance of risk to the Agency). EPA 2150.0, Agency Network Security Policy, requires that general support systems and major applications undergo C&A prior to connecting to EPA networks. Further, a system's C&A expires after three years, or sooner if a major change occurs, and all system interconnections must receive written management authorization based on acceptable levels of risk.

Without documentation that supports and demonstrates that security responsibilities and activities are properly carried out, EPA increases the risk that system security controls will not be adequately developed and implemented to address the security risks effectively. Those controls include preventing and detecting unauthorized modification of data and unauthorized access to mission-critical data, financial data, and personally identifiable information.

Contractor Oversight Needs Improvement

EPA had not clearly defined contractor monitoring duties and responsibilities for contractor oversight. Further, EPA had not provided the necessary training to Agency personnel to enable them to perform oversight. Of the 19 systems tested, 3 were maintained by a contractor. We noted that EPA personnel assigned responsibility for overseeing contractors were unfamiliar with their duties and documentation requirements. In one instance, the office had not yet assigned monitoring to an EPA official.

Without an effective contractor oversight program, EPA increases the risk that unauthorized activities may occur and go undetected, resulting in loss, destruction, theft, and misuse of sensitive proprietary information.
In addition, EPA increases the risk that the security controls the contractor implements may not be effective in securing and safeguarding Agency data.

Practices Used to Identify All EPA Systems Need Improvement

EPA had not performed a reconciliation between EPA's ASSERT and Registry of EPA's Applications and Databases (READ) to identify all reportable systems (see Appendix B for descriptions of the ASSERT and READ systems). A review of the ASSERT and READ inventories disclosed a difference of 54 systems. During our analysis, we noted EPA had discontinued the inventory reconciliation between the two systems. In addition, the READ Administrator is aware that READ is not current and that READ does not:

• Reflect changes to system names.
• Reflect changes to a system's reportable status.
• Identify reportable systems under development.
• Show the status of retired reportable systems.

Within OEI, the Office of Technology Operations and Planning (OTOP) oversees ASSERT and the Office of Information Collection oversees READ. Annually, the Chief Information Officer requests that senior agency officials enter into READ a comprehensive listing of their information resources. Similar data calls are also made to Agency officials requesting updates to their system information in ASSERT.
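
The reconciliation that this finding asks for is, mechanically, a join of the two inventories on a shared identifier followed by a check for each of the four READ gaps listed above. The script below is an added example in Python, not code from EPA, ASSERT or READ. The inventory records are constructed for the illustration, and the shared `system_id` key, the `reportable` flag and the three-value `status` field are assumptions: the report does not describe either system's schema.

```python
"""Reconcile two system inventories, modelled on the ASSERT/READ gap described in
the report.  Added example, not code from EPA, ASSERT or READ.  The records are
constructed and the shared "system_id" key is an assumption: the report does not
describe either system's schema."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SystemRecord:
    system_id: str    # assumed common key across both inventories
    name: str
    reportable: bool  # counts toward the FISMA-reportable system inventory
    status: str       # "operational", "development" or "retired"


def _norm(name: str) -> str:
    """Fold case and whitespace so cosmetic edits are not reported as renames."""
    return " ".join(name.split()).casefold()


def _reportable_count(inv: Dict[str, SystemRecord]) -> int:
    return sum(1 for r in inv.values() if r.reportable)


def reconcile(assert_inv: Iterable[SystemRecord],
              read_inv: Iterable[SystemRecord]) -> dict:
    """Join both inventories on system_id and return each class of discrepancy.

    Mismatch tuples are ordered (system_id, READ value, ASSERT value)."""
    a = {r.system_id: r for r in assert_inv}
    b = {r.system_id: r for r in read_inv}
    only_assert = sorted(a.keys() - b.keys())
    only_read = sorted(b.keys() - a.keys())
    renamed: List[Tuple[str, str, str]] = []
    status_mismatch: List[Tuple[str, str, str]] = []
    reportable_mismatch: List[Tuple[str, bool, bool]] = []
    for sid in sorted(a.keys() & b.keys()):
        ra, rb = a[sid], b[sid]
        if _norm(ra.name) != _norm(rb.name):
            renamed.append((sid, rb.name, ra.name))
        if ra.status != rb.status:
            status_mismatch.append((sid, rb.status, ra.status))
        if ra.reportable != rb.reportable:
            reportable_mismatch.append((sid, rb.reportable, ra.reportable))
    # Reportable systems under development that READ has never registered.
    dev_not_in_read = [s for s in only_assert
                       if a[s].reportable and a[s].status == "development"]
    # Systems ASSERT shows as retired that READ still carries as live.
    retired_live_in_read = [s for s, read_st, assert_st in status_mismatch
                            if assert_st == "retired" and read_st != "retired"]
    return {
        "only_in_assert": only_assert,
        "only_in_read": only_read,
        "renamed": renamed,
        "status_mismatch": status_mismatch,
        "reportable_mismatch": reportable_mismatch,
        "dev_not_in_read": dev_not_in_read,
        "retired_live_in_read": retired_live_in_read,
        "reportable_count_delta": abs(_reportable_count(a) - _reportable_count(b)),
    }


def sample_inventories() -> Tuple[List[SystemRecord], List[SystemRecord]]:
    """Constructed records for the example; ids and names are invented."""
    assert_inv = [
        SystemRecord("S001", "Grants Management System", True, "operational"),
        SystemRecord("S002", "Air Quality Data Mart", True, "operational"),
        SystemRecord("S003", "Legacy Permit Tracker", True, "retired"),
        SystemRecord("S004", "Enforcement Case Portal", True, "development"),
        SystemRecord("S005", "Lab Scheduling Tool", False, "operational"),
    ]
    read_inv = [
        SystemRecord("S001", "Grants  Management System", True, "operational"),  # spacing only
        SystemRecord("S002", "AQS Data Mart", True, "operational"),              # stale name
        SystemRecord("S003", "Legacy Permit Tracker", True, "operational"),      # retirement not recorded
        SystemRecord("S005", "Lab Scheduling Tool", True, "operational"),        # reportable flag differs
        SystemRecord("S006", "Regional Water Intake DB", True, "operational"),   # absent from ASSERT
    ]
    return assert_inv, read_inv


if __name__ == "__main__":
    result = reconcile(*sample_inventories())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run stand-alone, the script prints one line per discrepancy class for the constructed data. In practice the two inputs would be exports from ASSERT and READ, and `reportable_count_delta` is the analogue of the 54-system difference the review found. The checks map onto the four READ gaps listed above: `renamed` (system names), `reportable_mismatch` (reportable status), `dev_not_in_read` (reportable systems under development) and `retired_live_in_read` (retired systems). Normalising names before comparison matters because a periodic reconciliation that flags every spacing or capitalisation edit as a rename will be ignored by the offices that have to act on it.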
While EPA makes efforts to maintain the accuracy of both data sources, a lack of coordination between the offices that oversee ASSERT and READ hinders reconciliation between the two systems.

Without a complete and accurate inventory of all systems, EPA increases the risk that personnel responsible for overseeing the Agency's information security program will not have the information necessary to ensure required security control activities are performed as federal requirements demand. Also, management may not be informed of the full scope of risk an EPA application poses to the Agency's network, and so cannot make risk-based decisions for mitigating potential threats.

Agency Comments and OIG Evaluation

The Agency declined to provide comments to the draft audit report and indicated responses will be provided for the final audit report.

Recommendations

Williams Adley recommends the Director, Office of Technology Operations and Planning:

1. Issue a memorandum to the EPA information security community that reiterates the requirements for documenting information systems security control testing.
2. Implement training on the appropriate method for documenting tests of information systems security controls and incorporate this training into the Annual Information Security Conference.
3. Enhance the quality assurance process to verify that:
   a. required security controls are evaluated annually as part of the FISMA self-assessment,
   b. security control evaluations are independent and testing results include a documented strategy to resolve all weaknesses,
   c. documentation of security controls testing is complete and adequately supports the objectives,
   d. testing plans and procedures address the cause of testing failures, and
   e. NIST and EPA requirements for security planning, assigning security responsibilities, and maintaining C&A documents (agency's and contractor's) are being followed.
4. Develop and implement a procedure requiring Information System Security Officers to submit proposed test plans to the Director of Technology and Information Security Staff (TISS), or to request a waiver with justification for eliminating test(s).
5. Require the Director of TISS to review and approve information systems security controls test plans before Information System Security Officers conduct tests.
6. Develop an inventory of systems that require contingency plans and maintain the status of updates, test dates, testing results, and resolution required. Create POA&Ms in ASSERT, as needed.
7. Revise the Network Security Policy to enforce the requirements of NIST Special Publication 800-37 regarding responsibilities, delegation of authority, and independence.
8. Design and implement a training program on requirements for monitoring contractor oversight based on EPA roles and responsibilities.

Williams Adley recommends the Principal Deputy Assistant Administrator of Environmental Information and Deputy Chief Information Officer:

9. Direct the Director, OTOP, and the Director, Office of Information Collection, to design and implement a process to perform a periodic reconciliation of ASSERT and READ.

Status of Recommendations and Potential Monetary Benefits

Potential monetary benefits are stated in $000s. The Planned Completion Date, Claimed Amount, and Agreed-To Amount columns are blank for every recommendation listed.

Rec.  Page  Subject                                                     Status¹  Action Official
No.   No.

 1     6    Issue a memorandum to the EPA information security             O     Director, Office of Technology
            community that reiterates the requirements for                       Operations and Planning
            documenting information systems security control testing.

 2     6    Implement training on the appropriate method for               O     Director, Office of Technology
            documenting tests of information systems security                    Operations and Planning
            controls and incorporate this training into the Annual
            Information Security Conference.

 3     6    Enhance the quality assurance process to verify that:          O     Director, Office of Technology
            a. required security controls are evaluated annually as              Operations and Planning
            part of the FISMA self-assessment,
            b. security control evaluations are independent and
            testing results include a documented strategy to
            resolve all weaknesses,
            c. documentation of security controls testing is
            complete and adequately supports the objectives,
            d. testing plans and procedures address the cause of
            testing failures, and
            e. NIST and EPA requirements for security planning,
            assigning security responsibilities, and maintaining
            C&A documents (agency's and contractor's) are being
            followed.

 4     6    Develop and implement a procedure requiring                    O     Director, Office of Technology
            Information System Security Officers to submit proposed             Operations and Planning
            test plans to the Director of TISS, or to request a
            waiver with justification for eliminating test(s).

 5     6    Require the Director of TISS to review and approve             O     Director, Office of Technology
            information systems security controls test plans before             Operations and Planning
            Information System Security Officers conduct tests.

 6     6    Develop an inventory of systems that require                   O     Director, Office of Technology
            contingency plans and maintain the status of updates,               Operations and Planning
            test dates, testing results and resolution required.
            Create a POA&M in ASSERT, as needed.

 7     6    Revise the Network Security Policy to enforce the              O     Director, Office of Technology
            requirements of NIST Special Publication 800-37                     Operations and Planning
            regarding responsibilities, delegation of authority, and
            independence.

 8     6    Design and implement a training program on                     O     Director, Office of Technology
            requirements for monitoring contractor oversight based              Operations and Planning
            on EPA roles and responsibilities.
on EPA roles and responsibilities.\n\n 9       6\t    Direct the Director, OTOP and the Director, Office of        O          Principal Deputy Assistant\n\n               Information Collection to design and implement a                     Administrator of Environmental \n\n               process to perform a periodic reconciliation of                       Information and Deputy Chief\n\n               ASSERT and READ.                                                            Information Officer \n\n\nO = recommendation is open with agreed-to corrective actions pending\nC = recommendation is closed with all agreed-to actions completed\nU = recommendation is undecided with resolution efforts in progress\n\n\n\n                                                                                7\n\n\x0c                                                                                           10-P-0146\n\n\n                                                                                        Appendix A\n\n                             Scope and Methodology\nWilliams Adley\xe2\x80\x99s review methodology was based on OIG reporting instructions outlined in\nOMB\xe2\x80\x99s Memorandum M-08-21, Fiscal Year 2009 Reporting Instructions for FISMA and Agency\nPrivacy Management. Williams Adley re-examined the information and updated the OIG report\nto address report requirement changes in OMB Memorandum M-09-29 Fiscal Year 2009\nReporting Instructions for Federal Information Security Management Act and Agency Privacy\nManagement, August 20, 2009, and OMB Memorandum M-07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information, May 22, 2007.\n\nWilliams Adley extracted a sample of 19 systems (16 Agency systems and 3 contractor-owned\nsystems) from ASSERT (as of March 19, 2009) to evaluate the effectiveness of EPA\xe2\x80\x99s policies\nand procedures based on OMB\xe2\x80\x99s FISMA fiscal year 2009 reporting instructions. 
The table\nbelow provides descriptive information of each system evaluated.\nTable 1: Systems Reviewed For Fiscal Year 2009 FISMA Audit\n                                                                               System         Risk\n            System Name                           Program Office                Type        Category\n Office of the Administrator Local   Office of the Administrator              Agency       Moderate\n Area Network\n APBD\\CFO LAN Container              Office of Chief Financial Officer        Agency       Moderate\n CINC\\OARM                           Office of Administration and Resources   Agency       Moderate\n                                     Management\n CIDNET                              Office of Enforcement and Compliance     Agency       Low\n                                     Assurance\n Enforcement Action Response         Region 5                                 Agency       Low\n System\n Contract Laboratory Program         Office of Solid Waste and Emergency      Agency       Moderate\n Support Systems                     Response\n Enterprise Content Management       Office of Environmental Information      Agency       Moderate\n System\n Integrated Grants Management        Office of Administration and Resources   Agency       Moderate\n System                              Management\n Inter-Agency Document Online        Office of Chief Financial Officer        Agency       Moderate\n Tracking System\n NAREL LAN                           Office of Air and Radiation              Agency       Moderate\n NERL-Athens                         Office of Research and Development       Agency       Low\n NESC Supercomputing                 Office of Environmental Information      Agency       Low\n OPRM LAN (Shared Services)          Office of Administration and Resources   Agency       Moderate\n                                     Management\n OW/OST LAN Container                Office of Water                     
     Agency       Moderate\n Region 8 Libby                      Region 8                                 Agency       Low\n Video Teleconferencing              Office of Environmental Information      Agency       Low\n Infrastructure\n Enforcement Support Tracking        Region 9                                 Contractor   Moderate\n System\n SRA-Verio                           Office of Environmental Information      Contractor   Moderate\n Working Capital Fund Workload       Office of Environmental Information      Contractor   Moderate\n and Billing\nSource: Williams Adley compilation from EPA ASSERT System Data.\n\n\n\n                                                    8\n\n\x0c                                                                                     10-P-0146\n\n\nWilliams Adley performed the following audit procedures:\n\xe2\x80\xa2\t Obtained and reviewed the following FISMA required documents for the 19 systems\n   (Agency and contractor managed/operated systems):\n       o\t certification and accreditation reports.\n       o\t security plans and test reports.\n       o\t contingency plans and tests.\n       o\t risk assessments.\n\n\xe2\x80\xa2\t Obtained and reviewed EPA\xe2\x80\x99s:\n      o\t POA&M process and system security categorization for compliance with Federal\n          Information Processing Standards 199, Standards for Security Categorization of\n          Federal Information and Information Systems.\n      o\t Privacy Program policies and procedures for compliance with federal laws,\n          regulations, and OMB Memorandums M-07-16, M-06-15, and M-06-16 for\n          safeguarding privacy-related information and Privacy Impact Assessments.\n\n\xe2\x80\xa2\t Assessed system documentation for compliance with:\n      o\t OMB Circular No. 
A-130, Management of Federal Information Resources, Appendix\n          III, Security of Federal Automated Information Resources.\n      o\t NIST Special Publication 800-34, Contingency Planning Guide for Information\n          Technology Systems.\n      o\t NIST Special Publication 800-37, Guide for the Security Certification and\n          Accreditation of Federal Information Systems.\n      o\t NIST Special Publication 800-53A, Guide for Assessing the Security Controls in\n          Federal Information Systems.\n\n\xe2\x80\xa2\t Reviewed and tested EPA\xe2\x80\x99s:\n      o\t Configuration Management processes and procedures.\n      o\t Incident Reporting policies and procedures.\n\n\xe2\x80\xa2\t Reviewed the Agency\xe2\x80\x99s Information Security Awareness Training Program to include\n   training on peer\xe2\x80\x93to-peer file sharing.\n\n\xe2\x80\xa2\t Conducted interviews with the Agency\xe2\x80\x99s program officials and senior agency officials.\n\n\xe2\x80\xa2\t Conducted internal non-intrusive network vulnerability tests at the following five EPA\n   locations:\n       o\t Headquarters in Washington, DC.\n       o\t Research Triangle Park Finance Center in Durham, North Carolina.\n       o\t National Computer Center in Durham, North Carolina.\n       o\t Region 8 in Denver, Colorado.\n       o\t Great Lakes National Program Office, located at EPA Region 5 in Chicago, Illinois.\n\n\n\n\n                                              9\n\n\x0c                                                                                      10-P-0146\n\n\n                                                                                  Appendix B\n\n          Description of ASSERT and Read Systems\nAutomated System Security Evaluation and Remediation Tracking System\n(ASSERT)\n\nEPA uses ASSERT, an on-line tool, to gather information regarding testing and evaluation of\nEPA information assets, track progress of remediation actions, and generate FISMA reports for\nEPA 
management. ASSERT currently contains two integrated modules (security self-\nassessments and remediation tracking) and a third semi-standalone module (system\ncategorization). The ASSERT security assessment module allows Information System Security\nOfficers to enter information to complete their assessment. The remediation module in ASSERT\nallows Information System Security Officers to enter and update POA&Ms to remediate\ninformation technology weaknesses identified.\n\nThe system also provides EPA management the ability to monitor activities on-line as updates\noccur. The module includes an EPA standardized approach for developing POA&M corrective\naction responses to address in a timely manner the weaknesses discovered during any type of\nassessment or security review conducted for an Agency information technology asset. ASSERT\nis EPA\xe2\x80\x99s system of record for FISMA reporting.\n\nRegistry of EPA\xe2\x80\x99s Applications and Databases (READ)\n\nThe READ system is a repository for all EPA systems that includes systems reportable to\nFISMA and non-reportable systems. READ is considered the authoritative source for all EPA\ninformation systems. Each information resource (application/system, dataset, or model) is to\nhave a record in READ. The record includes information such as: title, acronym, description,\ncontact information, and organization that owns or operates the system. 
READ shows the\ngovernmental statute supported by the system, life cycle information, and access information.\n\n\n\n\n                                              10 \n\n\x0c                                                                                    10-P-0146\n\n\n                                                                                Appendix C\n\n                                    Distribution\nOffice of the Administrator\nPrincipal Deputy Assistant Administrator for Environmental Information and\n       Deputy Chief Information Officer\nDirector, Office of Technology Operations and Planning, Office of Environmental Information\nAgency Follow-up Official (the CFO)\nAgency Follow-up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nActing Director, Technology and Information Security Staff, Office of\n       Environmental Information\nAudit Follow-up Coordinator, Office of Environmental Information\nAudit Follow-up Coordinator, Office of Technology Operations and Planning,\n       Office of Environmental Information\nAudit Follow-up Coordinator, Technology and Information Security Staff,\n       Office of Environmental Information\nActing Inspector General\n\n\n\n\n                                             11 \n\n\x0c'